[nsd-users] TSIG issue
W.C.A. Wijngaards
wouter at nlnetlabs.nl
Mon Apr 14 08:57:12 UTC 2014
Hi Ihsan,
On 04/14/2014 10:52 AM, W.C.A. Wijngaards wrote:
> Hi İhsan,
>
> On 04/14/2014 07:49 AM, İhsan Doğan wrote:
>> Hi,
>
>> I'm running into a TSIG issue with NSD 4.0.3. The master runs NSD
>> 4.0.3 on Solaris 10 Sparc, the slave server runs NSD 4.0.3 on
>> FreeBSD 10 amd64.
>
>> On the master I have specified:
>> zone:
>>   [...]
>>   notify: x.x.x.x foo_key
>>   provide-xfr: x.x.x.x foo_key
>> key:
>>   name: "foo_key"
>>   algorithm: hmac-md5
>>   secret: "xxxxxxxxxxxxxxxxxxxxxxxx"
>
>> And on the slave:
>> zone:
>>   [...]
>>   allow-notify: y.y.y.y foo_key
>>   request-xfr: AXFR y.y.y.y foo_key
>> key:
>>   name: "foo_key"
>>   algorithm: hmac-md5
>>   secret: "xxxxxxxxxxxxxxxxxxxxxxxx"
>
>> This setup works fine if the secondary is running Solaris 10 x86,
>> but unfortunately not with FreeBSD 10. As the setup works if I
>> specify NOKEY, it seems to be something wrong with TSIG.
>
>> Any idea what is going wrong here?
>
> Could it be that FreeBSD's crypto implementation blacklists the
> md5 algorithm because it is considered too weak? I.e. the crypto
> library refuses the operation. If so, use something like
> hmac-sha256.
>
> NSD4 does not really have different code in TSIG compared to NSD3,
> by the way. So the exact NSD version number is unlikely to make a
> difference.
>
> Other than that, a mistake in the FreeBSD config file, e.g. a
> different secret or a different key name.
And one that trips people up: the time may be out of sync by more than
300 seconds. The TSIG algorithm specifies that this is disallowed
(replay of old data).
Best regards.
Wouter
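The three failure causes named in this thread (key name or algorithm mismatch, wrong secret, clocks more than the fudge window apart) map onto the three TSIG error codes a verifier reports. The following is an added example, not code from the thread or from NSD: a simplified TSIG signer and verifier that runs the checks in the order RFC 2845 prescribes (BADKEY, then BADSIG, then BADTIME). The MAC input here is a constructed simplification, not the canonical wire form of the TSIG RR, and all key names and secrets are made up.

```python
import hmac
import hashlib
import struct

# Digest functions keyed by TSIG algorithm name.
ALGORITHMS = {
    "hmac-md5": hashlib.md5,
    "hmac-sha256": hashlib.sha256,
}


def tsig_sign(message, key_name, algorithm, secret, time_signed, fudge=300):
    """Produce a simplified TSIG record for `message` (bytes).

    Constructed simplification: the MAC covers the message plus the key
    name, algorithm, time signed and fudge, mirroring the fields real TSIG
    binds into the MAC (without the canonical wire encoding)."""
    to_mac = (message + key_name.lower().encode() + algorithm.encode()
              + struct.pack("!QH", time_signed, fudge))
    mac = hmac.new(secret, to_mac, ALGORITHMS[algorithm]).digest()
    return {"key_name": key_name, "algorithm": algorithm,
            "time_signed": time_signed, "fudge": fudge, "mac": mac}


def tsig_verify(message, tsig, keys, now):
    """Return "NOERROR" or the TSIG error a server would log.

    keys: {key_name_lowercase: {"algorithm": ..., "secret": bytes}}
    Checks run in RFC 2845 order: key, then MAC, then time window."""
    key = keys.get(tsig["key_name"].lower())
    if key is None or key["algorithm"] != tsig["algorithm"]:
        return "BADKEY"  # unknown key name or algorithm mismatch
    expected = tsig_sign(message, tsig["key_name"], tsig["algorithm"],
                         key["secret"], tsig["time_signed"],
                         tsig["fudge"])["mac"]
    if not hmac.compare_digest(expected, tsig["mac"]):
        return "BADSIG"  # secret differs between master and slave
    if abs(now - tsig["time_signed"]) > tsig["fudge"]:
        return "BADTIME"  # clocks skewed beyond the fudge (default 300 s)
    return "NOERROR"
```

The test below reproduces each of the thread's scenarios: matching configuration, a 301 second clock skew, a mismatched secret, and a master signing with hmac-md5 while the slave's key is configured as hmac-sha256.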